
Hackers post more stolen Minneapolis Public School data to dark web


MINNEAPOLIS -- Minneapolis Public Schools on Friday notified parents that hackers who stole district data in a recent system breach released that information onto the dark web, where users are untraceable.

The latest letter comes nearly three weeks after MPS first sent out an alert about an "encryption event." 

"We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth comprehensive review to determine the full scope of what personal information was impacted," it reads. The district says it will contact people directly if they are impacted.

But cybersecurity experts warn that anyone associated with the district—current and former students, parents, staff and vendors—should assume they have been compromised until they've been told otherwise, and take action to protect themselves.

Ian Coldwater is a "professional hacker" that companies hire to expose vulnerabilities and share how they can improve security. The expert in computer systems is also the parent of two children who are current and former students in Minneapolis Public Schools, whose personal data is also at risk.

"What concerns me about this data breach specifically is the sensitivity of some of this data," Coldwater said. "The scale and scope of this data breach is quite large and quite wide."

Among the pieces of data they said they saw in a trove of files the ransomware group dumped online: payroll information, protected health information, home addresses, phone numbers, disciplinary records, student records, pictures of students and staff, safety plans, union grievances, misconduct complaints and civil rights investigations.

"You name it—it's pretty much in there," Coldwater said.

Mark Lanterman, a former member of the U.S. Secret Service Electronic Crimes Task Force, described the "dark web" as a back alley to the internet, rather than the main street, in which users are completely anonymous. His firm, Computer Forensic Services, contracts with dozens of law enforcement agencies in Minnesota.

"You're not seen. You're invisible," Lanterman added. "This is so much worse than the breach of a retailer who issues credit cards because you can just call and cancel the credit card. This is information about us."

MPS administrators have declined WCCO's requests for an interview, and also have chosen not to answer questions sent via email.

Earlier this month, administrators told parents there was no evidence that the data has been used to commit fraud, but still encouraged employees, parents and staff to remain vigilant for suspicious emails or phishing attempts. In its latest correspondence to parents, the district said it would offer all potentially affected individuals free credit monitoring and identity protection services through Experian.

"My immediate advice is change all passwords to all your accounts, make sure you're monitoring statements, bank and credit card, and put a freeze on your credit report," Lanterman added. "Hackers are in business to make money, and one of the best ways to prevent yourself from being a victim is to make sure they can't take out loans or lines of credit in your name. Put a freeze on your credit report."

Coldwater wished there was clearer communication from the district about the impact of the attack because then individuals whose data is compromised can take swift action to protect themselves.

"I have personally seen less sky-is-falling fear and panic and more of people kind of just wondering what's going on. People want to know what's happening," they said. "I don't blame MPS for being hacked, but I don't think they responded to it as well as they could."

According to state officials, schools and universities were the targets of at least 78 cyber attacks in 2022, in addition to 111 counties and 39 municipalities.

International Falls School District was targeted in September 2022, just one week into the school year.

"It's an invasion. That feeling of an invasion of privacy," superintendent Kevin Grover of that district told WCCO in a recent interview. "Not knowing is the concern. They never came out and said here are the five things we have which are bad. It was all threats that we could put this on the dark web."

Medusa, the group claiming responsibility for the attack on MPS, released a video with information, setting the ransom at $1 million. A joint federal Cybersecurity Advisory (CSA) issued last year warned of Medusa's ransomware attacks and their pervasive methods of gaining access through remote access.

"Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email," officials explained, noting that organizations like school districts and health care systems should "focus on cybersecurity awareness and training" and "regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities, such as ransomware and phishing scams."

In their letter on Friday, MPS administrators cautioned families and staff on "receiving, interacting with, or responding to any suspicious emails or phone calls," while also directing those who accessed MPS devices from personal accounts to "change those account passwords."


The district also said it has "taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal."

Lanterman said that does not change the fact that troves of sensitive and personal data remain online.

"This data does not expire like a credit card. This is us," he lamented. "This information is about us and our children, and I would strongly urge every parent to get specialized legal advice about how they, as victims, should respond to this."

Coldwater urges parents, staff and students not to panic, but take the threat seriously, recommending they do the following: change the passwords of all accounts accessed through district-owned devices, freeze credit, watch accounts closely and use multi-factor authentication.

Federal cyber officials also offer these four critical steps everyone can take to protect themselves online:

  1. Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
  2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
  3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:
    - Something you have — like a passcode you get via an authentication app or a security key.
    - Something you are — like a scan of your fingerprint, your retina, or your face.
    Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
  4. Protect your data by backing it up. Back up your data and make sure those backups aren't connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.

If you believe you've been a victim of identity theft, click here.
